Rule Update

20-030 (June 30, 2020)


* indicates a new version of an existing rule

Deep Packet Inspection Rules:

Apache JServ Protocol
1010361 - Apache Tomcat Local File Inclusion Vulnerability (CVE-2020-1938)
1010184* - Identified Apache JServ Protocol (AJP) Traffic

DCERPC Services
1001839* - Restrict Attempt To Enumerate Windows User Accounts (ATT&CK T1087)

MQTT Server
1010357 - Eclipse Mosquitto Improper Authentication Vulnerability (CVE-2017-7650)

Suspicious Server Application Activity
1009549* - Detected Terminal Services (RDP) Server Traffic - 1 (ATT&CK T1015,T1043,T1076,T1048,T1032,T1071)

Universal Plug And Play Service
1010358 - Identified CallStranger Vulnerability in UPNP Devices (CVE-2020-12695)

Unix SSH
1008313* - Identified Many SSH Client Key Exchange Requests (ATT&CK T1110)

Web Application Common
1010252 - Sonatype Nexus Repository Manager Stored Cross-Site Scripting Vulnerability (CVE-2020-10203)

Web Client Mozilla Firefox
1010355 - Mozilla Firefox Memory Corruption Vulnerability (CVE-2017-5400)
1010356 - Mozilla Firefox Sensitive Information Disclosure Vulnerability (CVE-2017-5407)

Web Server Common
1005728* - Parameter Value Length Restriction
1010362 - VMware Cloud Director Code Injection Vulnerability (CVE-2020-3956)
1010366 - vBulletin 'widgetConfig' Unauthenticated Remote Code Execution Vulnerability (CVE-2019-16759)

Windows Remote Management Client
1010073* - WinRM Service Detected & Powershell RCE Over HTTP - Client (ATT&CK T1028)

Windows Services RPC Client DCERPC
1008477* - Identified Usage Of WMI Execute Methods - Client (ATT&CK T1047)

Integrity Monitoring Rules:

1002859* - Local Security Authority (LSA) Authentication Packages modified (ATT&CK T1174)
1010353 - Local Security Authority (LSA) Notification Packages modified (ATT&CK T1131)

Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.